Spoofed IP traffic (traffic containing packets with incorrect source IP addresses) is often used by Internet-based attackers for anonymity, to reduce the risk of trace-back and to avoid attack detection by network-based sensors. Attackers often spoof or disguise the identity of machines that are used to carry out an attack by falsifying the source address of the network communication. This makes it more difficult to detect and identify the sources of attack traffic and sometimes shifts attention away from the attackers and toward innocent third parties.
It is common for a skillful attacker to use an incorrect source IP address in attack traffic emanating from most widely used operating systems. Since IP routing is destination-based, spoofed IP packets are delivered to the intended target in the same way as non-spoofed IP packets. Spoofed IP packets are particularly prevalent in DDoS (Distributed Denial of Service) attacks, wherein an attacker can compel multiple intermediate compromised hosts to inundate a target host or network with a cumulatively high-volume IP traffic stream. Detection of such DDoS attacks by network-based sensors is difficult since spoofing ensures that traffic volume from individual hosts appears to be low.
In addition to high-volume attacks such as DDoS, relatively stealthy attacks may also employ spoofed IP packets. A notable example is the Slammer worm which sends out a single source IP spoofed UDP (User Datagram Protocol) packet that compromises the destination node. Thus, Spoofed IP traffic detection is a generic means by which to detect several different types of network attacks without using specialized detectors for each attack.
U.S. application Ser. No. 12/769,696 filed on Apr. 29, 2010 which is assigned to Telcordia, Technologies, Inc. et al. describes an apparatus and a method for detecting spoofed traffic using a training period where packets are examined for expected sources. An expected source table is constructed by examining historical traffic traces associated with a particular network interface. Source IP addresses in IP packets are correlated with origin AS information by leveraging BGP (Border Gateway Protocol) routing information or routing registries. If a packet with an origin AS “a” is observed at an interface “I”, AS “a” is added to the EAS number table set for interface “I”.
However, no inferences about source IP addresses (prefixes) that were not observed at the time the historical data was collected can be made.
Therefore, there is a need for a reliable and effective method and apparatus to detect network traffic with spoofed source IP addresses.